A Cloudflare vs. Zscaler comparison of Zero Trust, SSE, SASE, and beyond


Comparison overview 


This is a functional comparison of Cloudflare’s and Zscaler’s overall offerings, aligned to transformational
network and security trends including Zero Trust (ZT), Security Service Edge (SSE), and Secure Access
Service Edge (SASE). 37 criteria are organized into five groups: Internet-native network platform;
cloud-native service platform; services to adopt a SASE architecture; services to extend ZT, SSE, SASE,
and beyond (the current definitions of these market trends); and network on-ramps. Some comparisons
require more context and clarity; these are footnoted on the last page.


For a more conceptual comparison, please visit 


Internet-native network platform 


Criteria Cloudflare | Zscaler FN 
Data center cities available to any customer 270 1 
Distinct clouds (control planes) across data centers ay 2 
Uptime service level agreement 100% 3 
Single-pass inspection across all edge services
Threat research lab


Cloud-native service platform 


Criteria Cloudflare | Zscaler FN 
Composable architecture YES 5 
Single-pane management interface YES 6 
Serverless compute development platform YES 7 


FedRAMP in progress or authorized YES 8 
Services to adopt a SASE architecture


Criteria Cloudflare | Zscaler 
Zero Trust Network Access (ZTNA) 
Cloud Access Security Broker (CASB) 


YES 


YES 


YES 
YES 


On-premise SD-WAN NO - partner NO - partner 


NO 


Services to extend ZT, SSE, SASE, and beyond 


NO 
Network on-ramps


Criteria Cloudflare 


Clientless browser-based access YES YES 


Device client software YES YES 


Application connector software YES YES 


Branch connector software NO YES 
Anycast DNS, GRE, IPsec, QUIC, Wireguard tunnels YES NO 
Private network interconnect for data centers & offices NO 
Inbound IP transit (BYOIP) NO 
IPv6-only connection support NO 
Recursive DNS resolvers 


Device clients and DNS resolvers freely open to public 


Comparison results 


31 18 


Overall 37 
Footnotes (FN)


1. 


10. 


11. 


12. 


Per cloudflarestatus.com and cloudflare.com/network, 
Cloudflare has public data centers in 270+ cities. Many cities 
are served by more than one data center. As of Jan 2022, per 
trust.zscaler.com and config.zscaler.com, Zscaler has 73 public 
data centers in 55 cities with 13 data centers in no published 
clouds and 11 data centers with auto geo proximity disabled. 
The other claimed 77 data centers do not appear to be publicly 
documented and/or available to any customer. 


Per config.zscaler.com/zscaler.net/cenr, ZIA has seven distinct
clouds, ZPA has two different distinct clouds, and other
products like ZDX have more distinct clouds.


Most services are supported with a 99.999% uptime SLA, but 
their DNS resolver only offers a 99.99% uptime SLA (source). 


For example, a request from a remote user to a private 
self-hosted application can be inspected in one pass on the 
same server within the same data center by SWG, RBI, ZTNA, 
and app security services. 


Composable architecture requires being able to adopt any
service offered in the platform in any order and have it be
concurrently interoperable with previously deployed services.
Zscaler has architected some of its services to run
separately on unique architecture that prevents such
composability, which these Zscaler articles demonstrate
(source 1, source 2).


Cloudflare acquired Area 1 in April 2022. It is on the roadmap to
integrate Area 1’s email security management into the
Cloudflare Zero Trust management interface. Zscaler does not
offer email security, so this is not an equivalent gap.
However, Zscaler has separate management interfaces for
their ZIA and ZPA offerings as well as many of their add-ons
such as RBI.


Cloudflare Zero Trust is built on Cloudflare Workers powered by 
V8 isolate technology at our edge. Zscaler uses an older 
container-based architecture, which slows development time and 
adds overhead costs when shipping new features. 


As of June 2022, Cloudflare is FedRAMP in progress, whereas 
Zscaler is FedRAMP authorized. 


Zscaler does not claim to be able to smartly route and accelerate 
traffic from data center to data center over its own network 
backbone. 


While Zscaler does offer branch connector software, it does not 
provide full on-prem SD-WAN functionality and it does not appear in 
analyst research for WAN edge infrastructure. 


Zscaler’s standard RBI technology sends a stream of pixels, 
whereas Cloudflare’s patented network vector rendering technology 
sends a stream of draw commands. Also, as of June 2022, Zscaler 
only runs RBI in 4 data centers. The combination results in a poor 
user experience with many Internet and SaaS applications. 


Since 2021, Cloudflare has been building a DLP service natively
within our Zero Trust platform. A private beta will be opening soon;
join our waitlist to learn more.


Cloudflare Intrusion Detection is available today in our private beta
program. Contact your account team to inquire about joining.


Zscaler does not offer a DDoS protection service. All cloud-native 
service providers have some measure of DDoS protection built into 
their architecture, but this will not effectively mitigate a modern 
DDoS attack. While implementing Zero Trust does keep your 
applications from being directly exposed on the Internet, it does not 
stop contractors or other users with granted access from attacking 
the application via the ZTNA providers’ network. 


In March 2022, Zscaler announced that it added inline application
protection into its ZTNA offering, ZPA. However, this is not
equivalent to a full Web Application Firewall (WAF) for both public
and private addressable applications. It also lacks bot detection
capabilities.


In 2020-21, Zscaler acquired Edgewise Networks for cloud 
workload protection platform (CWPP), Cloudneeti for cloud security 
posture management (CSPM), and Trustdome for cloud 
infrastructure entitlement management (CIEM). It has not integrated 
these cloud security services into its Zero Trust services. 


Cloudflare provides in-browser terminals for SSH and VNC, 
whereas Zscaler provides in-browser terminals for SSH and RDP. 
Many Cloudflare customers use Apache Guacamole to run RDP in 
the browser. 


Zscaler requires virtual machine infrastructure to run its image, 
whereas Cloudflare offers a daemon that can run with or 
without VMs. 


Zscaler requires virtual machine infrastructure to run its image, 
and traffic can only pass through ZIA or ZPA, but not both in 
one pass. 


Zscaler supports Anycast only for DNS resolution. For GRE or
IPsec tunnels, customers must use a unique IP address per
Zscaler data center. Its app connector and device client
rely on non-Anycast DTLS tunnels.


Zscaler’s device client does not support IPv6-only connections
per their community forums (source).


Zscaler does not offer free public DNS resolution (e.g. 1.1.1.1)
or encrypted IP communication (e.g. WARP).